Potential ramifications of the Data Utilization and Authorization Act
The Data (Use and Access) Bill: A Milestone in UK's Data Protection Legislation
The Data (Use and Access) Bill, currently in parliamentary deliberation, is poised to revise and update the UK's data policies. This bill encompasses significant changes to the UK General Data Protection Regulation (GDPR), the Investigatory Powers Act 2016, the Data Protection Act 2018, and plans to streamline data processing for public services while broadening the allowed uses of data for scientific research.
Updates to data protection policy have been anticipated since the Data Protection Act 2018, as new technologies have demanded legislative attention. An earlier update, the Data Protection and Digital Information (DPDI) Bill, had been planned for this year but did not proceed due to the change in government.
Speaking about the bill's potential impact on the UK's adequacy status, Anthony Lee, a partner specializing in information technology and data protection at gunnercooke LLP, expressed confidence that the proposed changes would not compromise the country's standing. However, Lee had previously raised concerns about the DPDI's potential implications on the UK's adequacy status.
The bill, which spans over 260 pages, is comprehensive in nature due to its intent to revise and consolidate a wide spectrum of existing legislation. While the bill's volume may not meet the expectations of those seeking a simplified approach to data protection, its size is an indication of its ambitious aims.
The bill has drawn criticism from privacy advocacy groups, with the Open Rights Group expressing concerns over its potential impact on individuals' privacy and rights. Mariano delli Santi, legal and policy officer at the organization, expressed worries about the bill's provisions on automated decision-making, particularly in areas of policing, welfare, and immigration where life-altering decisions could be made without human review.
One of the key elements of the bill is Part 1, which delineates distinct categories for business data and customer data. Business data is defined as any information related to goods, services, or digital content supplied or provided by the trader, while customer data concerns information supplied or provided by the trader to the customer or at their request.
The bill also seeks to establish the regulatory foundations for digital identities, similar to the previous DPDI. The bill proposes the development of the "DVS trust framework," which would set out further rules and regulations for digital verification services, replacing the UK's current Electronic Identification, Authentication, and Trust Services (eIDAS) regulation. The bill further entails the abolition of the Information Commissioner's Office (ICO) and its replacement with the Information Commission.
Part 5 of the bill outlines updates to the UK's data protection and privacy, with Clause 67 expanding the use of data processing for statistical and research purposes. The bill revises Article 4 of UK GDPR, extending the definition of personal data processing for scientific research to include publicly and privately funded research, as well as research carried out as part of commercial or non-commercial activities. However, the bill maintains the requirement for consent for processing personal data for scientific research.
The bill will add Article 22B to the UK GDPR, restricting automated decision-making processes. The article stipulates that a significant decision based on the processing of special categories of personal data (e.g., faith, ethnicity, genetic data, or biometric data) may not be based solely on automated processing without meeting specific conditions, such as explicit consent, completion of a contract, or compliance with legal requirements.
The bill also establishes appropriate safeguards for data processing, stating that these safeguards have not been met if the processing is likely to cause substantial damage or distress to a data subject. The safeguards must include technical and organizational measures to ensure data minimization principles, such as pseudonymization.
As the bill progresses through parliament, it is expected that some areas, such as digital verification, may face controversy. Nonetheless, stakeholders are encouraged to engage with legislators to stay informed and prepared for the evolutions in the UK's data protection landscape.
Anthony Lee concludes that while the bill deviates from GDPR in certain aspects, it is anticipated that the UK will maintain its adequacy status with the European Union. However, the treatment of AI remains a topic of ongoing debate and development.
- Recognizing the growth in digital technologies and the need for adequate cybersecurity measures, the Data (Use and Access) Bill emphasizes the importance of educating individuals and businesses about data protection and self-development in the realm of technology.
- To strengthen the UK's data protection legislation, the Data (Use and Access) Bill plans to incorporate updates and consolidations in various sections of the UK General Data Protection Regulation (GDPR), fostering a culture of security and privacy in the era of technological advancements.